Lab 3.2 - Putting it all together

If possible, take a snapshot of your VM before starting this Lab.
Make sure that the VM is not connected to the Internet.

Part 1

Exercise

For this part of the lab, we use the unpacked version of the sample ‘gtm4183’ from the previous lab (3.1). Answer the following:

  1. What is the filename of the new file that the malware creates?
  2. What is the absolute path of this new file?
  3. What new process is created and executed?

Step 1

Start a new instance of IDAPro and click on ‘New’ in the startup window.

Step 2

Select the file that we ‘fixed’ in the previous lab and hit ‘Open’.

Step 3

Untick (Uncheck) the ‘Create imports segment’ option on the following window and hit ‘OK’ after that.

Step 4

Let the file load - it will take some time. It is fully loaded once you are presented with the ‘IDA View’ in graph mode and the status bar at the bottom of the window shows ‘AU: idle’ (auto-analysis finished).

Step 5

Click on the ‘Imports’ tab and check that the imports are now listed there.

You analysed the packed version of this same file in Lab 3.0 - Task 3, where the imports were not visible. Now that the malware is unpacked and the ‘fixed’ version is loaded in IDA Pro, the imports (API calls) are listed and we can analyse them.

Part 2

Further Analysis

In this section, we look at how to analyse code in IDA Pro and make it easy to read and understand, for yourself as well as for your team. We take a deeper look at subroutines and function calls, and at how to manage your analysis as you move through the code.

Sub Routines

We take a ‘work your way backwards’ approach in this section of the lab: rather than reading the code forwards from the entry point, we start from an imported API of interest and follow its cross-references back to the subroutine that calls it.

File Operations

We look at all the functions the malware calls that are required for ‘file operations’. These calls accomplish tasks such as file creation, file copying, etc.

Step 1

Go to the ‘Imports’ tab and search for ‘CreateFileW’.

Step 2

Double-click on the import. This takes you to the import’s entry (the import address table slot) in the data segment, not to the code that calls it.

Right-click on that entry and choose ‘Jump to xref…’ (or press X with the cursor on the name). The list shows every location that references this import; each entry is a separate call site you may need to visit.

Select the first one and hit ‘OK’.

Step 3

You’ll be taken to the actual call in the code once you hit ‘OK’ in the previous step.

Scroll up to the start of the subroutine that contains the call (its ‘sub_XXXXXX proc near’ line). This subroutine is what we analyse next.

Step 4

Click on ‘View’ > ‘Open Subviews’ > ‘Function Calls’. The window lists the functions that call the current subroutine and the functions and APIs it calls.

You should see several calls related to file operations alongside CreateFileW. This suggests that most of the sample’s file handling takes place in this subroutine; check the other cross-references from Step 2 to confirm that none of the remaining call sites belongs to a different subroutine.

Step 5

Right-click on ‘sub_40869A’ (the subroutine you reached in Step 3) and select the ‘Rename’ option in the menu (shortcut N).

Rename the function ‘[Initials]_File_Ops’ and hit ‘OK’.

Confirm that the new name of the function is now what you just changed it to.

Confirm that the name has changed in the functions section as well.

Step 6

Repeat the process for sub_401B47:

Find the function (in the ‘Functions’ window, or press G and enter the address 401B47).

Check the function calls (‘View’ > ‘Open Subviews’ > ‘Function Calls’) and note which operations they perform.

Change the function name (N) to ‘[Initials]_’ followed by a label that reflects those operations.

Confirm the name change in the graph view and in the ‘Functions’ window.

Step 7

Close the project in IDA Pro.

In the ‘Save database’ dialog, make sure ‘Pack database (Store)’ is selected and then hit OK. Packing writes the separate working files (.id0, .id1, .nam, .til) into a single database file.

Step 8

Confirm that the new IDA database (a .idb file next to the sample; 64-bit databases use .i64) has been saved.

Step 9

Double-click on the IDA database file and confirm that it loads the entire project in IDA Pro.

Confirm that your new function names are still there. The database contains the loaded bytes of the sample, so handle and share it with the same care as the malware itself.

You have now completed the lab. In this lab, you learnt:

Looking at imports in IDA Pro

Locating functions that deal with specific operations

Finding collections of calls that perform similar tasks and renaming the functions to reflect that

Saving the analysis as a file (IDA DB)

Using IDA DB files to share/continue/resume analysis

Bonus Lab

Repeat the above process for all the encryption (cryptographic API) function calls.

List all the API calls in the order in which the malware makes them.

Include the entire subroutine, in graph view, in your report.
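The following is an added example for this lab; it is not part of the original handout and not IDA’s own code. It is an IDAPython script that does Part 2 Steps 1 to 6 and the Bonus Lab for the whole database at once: it buckets the imports into file-operation, process-execution and cryptographic families, follows each import’s cross-references back to the calling subroutine (what ‘Jump to xref…’ does in the GUI), proposes a ‘[Initials]_<category>’ name for each subroutine, and, for the bonus, lists the calls of one category in call-site address order. The API families, the contents of SAMPLE_CALL_MAP and the initials ‘AB’ are assumptions for illustration; the real call lists come from your database when the script runs inside IDA.

```python
"""Bucket a sample's imports by task and find the subroutines that call them.

Added example for Lab 3.2; not part of the original handout or of IDA.
Only load_call_map() and rename_by_category() touch IDA; the rest is plain
Python. Inside IDA Pro, run it with File > Script file on the unpacked database.
"""
import re
from collections import defaultdict

# API-name pattern -> category label; first match wins. Assumption: these Win32
# families are a starting set for this lab; extend them from your Imports tab.
CATEGORIES = [
    ("File_Ops", re.compile(r"^(Create|Write|Read|Copy|Delete|Move)File[AW]?$"
                            r"|^(Get|Set)FilePointer|^FindFirstFile")),
    ("Proc_Exec", re.compile(r"^(CreateProcess|WinExec|ShellExecute)")),
    ("Crypto", re.compile(r"^(Crypt|BCrypt|NCrypt)")),
]

# Constructed stand-in for what load_call_map() returns from a real database.
# Subroutine names follow the lab; the call lists are illustrative only.
SAMPLE_CALL_MAP = {
    "sub_40869A": ["GetTempPathW", "CreateFileW", "WriteFile", "CloseHandle", "CopyFileW"],
    "sub_401B47": ["CreateFileW", "CreateProcessW", "CloseHandle"],
    "sub_4020C0": ["CryptAcquireContextW", "CryptCreateHash", "CryptHashData",
                   "CryptDeriveKey", "CryptEncrypt", "CryptReleaseContext"],
    "sub_401000": ["GetTickCount", "Sleep"],
}

def classify_api(name):
    """Category of an API name, or None if it is not of interest.
    A leading '__imp_' (how IDA names IAT slots) is stripped first."""
    bare = name[6:] if name.startswith("__imp_") else name
    for label, pattern in CATEGORIES:
        if pattern.search(bare):
            return label
    return None

def summarise_callers(call_map):
    """{func: [api, ...]} -> {func: {category: count}}. Functions that call
    nothing of interest are dropped, as in Step 4's Function Calls view."""
    summary = {}
    for func, apis in call_map.items():
        counts = defaultdict(int)
        for api in apis:
            category = classify_api(api)
            if category:
                counts[category] += 1
        if counts:
            summary[func] = dict(counts)
    return summary

def propose_name(initials, counts):
    """Name a function after its dominant category, e.g. 'AB_File_Ops'.
    Ties are broken alphabetically so the result is deterministic."""
    best = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
    return "{}_{}".format(initials, best)

def ordered_calls(call_map, func, category=None):
    """APIs a function calls, in the (call-site address) order load_call_map()
    stores them, optionally filtered to one category (Bonus Lab)."""
    return [api for api in call_map.get(func, [])
            if category is None or classify_api(api) == category]

def load_call_map():
    """IDA only. For every import, follow its cross-references back to the
    enclosing function. One level of jmp-thunk wrapper is looked through."""
    import idaapi, idautils, idc

    def callers(ea, depth=0):
        for xref in idautils.XrefsTo(ea):
            func = idaapi.get_func(xref.frm)
            if func is None:
                continue
            if func.flags & idaapi.FUNC_THUNK and depth < 1:
                for caller in callers(func.start_ea, depth + 1):
                    yield caller
            else:
                yield xref.frm, idc.get_func_name(func.start_ea)

    sites = defaultdict(list)            # func name -> [(call_ea, api), ...]

    def visit(ea, name, ordinal):
        if name:
            for call_ea, caller in callers(ea):
                sites[caller].append((call_ea, name))
        return True                      # keep enumerating this module

    for module in range(idaapi.get_import_module_qty()):
        idaapi.enum_import_names(module, visit)
    return {f: [api for _, api in sorted(v)] for f, v in sites.items()}

def rename_by_category(initials, rename=False):
    """IDA only. Print the proposals; with rename=True also apply them."""
    import idc
    summary = summarise_callers(load_call_map())
    for func, counts in sorted(summary.items()):
        new_name = propose_name(initials, counts)
        print("{:<14} -> {:<16} {}".format(func, new_name, counts))
        if rename:
            idc.set_name(idc.get_name_ea_simple(func), new_name, idc.SN_CHECK)
    return summary

if __name__ == "__main__":
    rename_by_category("AB", rename=False)   # set rename=True once you agree
```

Run it first with rename=False and compare the printed proposals with what you found by hand in Steps 4 to 6; only then re-run with rename=True. Address order is a static approximation of execution order: loops and branches can reorder or skip calls, so for the bonus confirm the sequence against the graph view of the subroutine before putting it in the report.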